The present disclosure relates generally to computer system and network security and, more particularly, to methods, systems, computer program products for protecting a communication network against Advanced Persistent Threats (APTs) by controlling the vectors of potential data exfiltration.
Advanced Persistent Threats (APTs) are one of the fastest growing information security threats that organizations face today. The goals of an APT are typically to steal intellectual property (IP), generated from expensive research, from a targeted organization, to gain access to sensitive customer data, and/or to access strategic business information that could be used for financial gain, blackmail, embarrassment, data poisoning, illegal insider trading and/or to disrupt an organization's business. APTs have become very sophisticated and diverse in the methods and technologies used, particularly in the ability to use an organization's own employees to penetrate the information technology (IT) systems by using social engineering methods. APTs may trick users into opening spear phishing emails, which install specially crafted and customized malware that may contain code to exploit zero-day vulnerabilities in the targeted system. FIG. 1 shows the typical attack infrastructure and how the APT operators carry out most APTs. First, an APT operator, from, for example, an overseas network, launches an attack campaign to compromise public vulnerable servers 150a, 150b, and 150c. Then, the APT operator manually crafts and sends a customized spear phishing email through one or more of the compromised public servers 150a, 150b, and 150c that may contain a malicious URL or attachment that, once clicked, will install a Remote Access Trojan (RAT) on a target device, such as device 160. From this point forward, the attackers have full access to the victim device 160 and to all the data the victim can access. Usually, over a long period of time, the APT operators will manually execute commands, such as command and control (C&C) commands, and will move laterally into the victim's network, compromising other internal resources, such as internal server 165, until they reach the targeted internal resources or data. The data may then be exfiltrated back through the compromised servers 150a, 150b, and 150c and made available to the APT operator.
APT protection effort has focused on stopping malware from entering the enterprise perimeter. A potential problem with this approach is that there may be too many vectors of infection (e.g. email attachments, malicious URLs, USB drives, etc.) and in most cases APT operators use zero day exploits that are not detectable by traditional perimeter based systems. Moreover, once a device is compromised and the APT operators have a foothold in the organization network, there are too many possible outgoing vectors for data exfiltration (e.g. email, raw IP connections, USB drives, etc.). The same problems may persist when the enterprise is moved into the cloud and virtualized apps or desktops are used to access corporate data.
Cloud computing is a computing paradigm where shared resources, such as processor(s), software, and information, are provided to computers and other devices on demand typically over a network, such as the Internet. In a cloud computing environment, details of the computing infrastructure, e.g., processing power, data storage, bandwidth, and/or other resources are abstracted from the user. The user does not need to have any expertise in or control over such computing infrastructure resources. Cloud computing typically involves the provision of dynamically scalable and/or virtualized resources over the Internet. A user may access and use such resources through the use of a Web browser. A typical cloud computing provider may provide an online application that can be accessed over the Internet using a browser. The cloud computing provider, however, maintains the software for the application and some or all of the data associated with the application on servers in the cloud, i.e., servers that are maintained by the cloud computing provider rather than the users of the application.
FIG. 2 illustrates a conventional cloud service model that includes Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Infrastructure as a Service, delivers computer infrastructure—typically a platform virtualization environment—as a service. Rather than purchasing servers, software, data-center space or network equipment, clients instead buy those resources as a fully outsourced service. Suppliers typically bill such services on a utility computing basis and the amount of resources consumed. Platform as a Service delivers a computing platform as a service. It provides an environment for the deployment of applications without the need for a client to buy and manage the underlying hardware and software layers. Software as a Service delivers software services over the Internet, which reduces or eliminates the need for the client to install and run an application on its own computers, which may simplify maintenance and support.
Virtualized computing environments may be used to provide computing resources to end users. In a cloud computing environment, the physical hardware configuration is hidden from the end user. Cloud computing systems may include servers, network storage devices, routers, gateways, communication links, and other devices. Because the physical hardware and software platforms on which cloud computing system is implemented are hidden within a “cloud,” they can be managed, upgraded, replaced or otherwise changed by a system administrator without the customer being aware of or affected by the change.
In a typical cloud computing environment, applications may be executed on virtual machines, which are isolated guest operating systems installed within a host system. Virtual machines are typically implemented with either software emulation or hardware virtualization, or both. A single hardware and/or software platform may host a number of virtual machines, each of which may have access to some portion of the platform's resources, such as processing resources, storage resources, etc.
FIG. 3 illustrates a server system 100 for a virtualized computing environment in which the inventive subject matter of the present disclosure can function. The server system 100 generally hosts one or more virtual machines 104 (hereafter virtual machine 104), each of which runs a guest operating system 106 and application 108. The computing needs of users 102 drive the functionality of the virtual machines 104. A virtual hypervisor 110 provides an interface between the virtual machines 104 and a host operating system 112 and allows multiple guest operating systems 106 and associated applications 108 to run concurrently. The host operating system 112 handles the operations of a hardware platform 114 capable of implementing virtual machines 104. A data storage space 116 may be accessed by the host operating system 112 and is connected to the hardware platform 114.
The hardware platform 114 generally refers to any computing system capable of implementing virtual machines 104, which may include, without limitation, a mainframe, personal computer (PC), micro-computer, handheld computer, mobile computing platform, server, or any other appropriate computer hardware. The hardware platform 114 may include computing resources, such as a central processing unit (CPU); networking controllers; communication controllers; a display unit; a program and data storage device; memory controllers; input devices (e.g., a keyboard, a mouse, etc.) and output devices, such as printers. The CPU may be any conventional processor, such as the AMD Athlon™ 64, or Intel® Core™ Duo.
The hardware platform 114 may be further connected to the data storage space 116 through serial or parallel connections. The data storage space 116 may be any suitable device capable of storing computer-readable data and instructions, and it may include logic in the form of software applications, random access memory (RAM), or read only memory (ROM), removable media, or any other suitable memory component. According to the illustrated embodiment, the host operating system 112 stands between the hardware platform 114 and the users 102 and is responsible for the management and coordination of activities and the sharing of the computing resources. In other embodiments, the virtual hypervisor runs directly on the hardware 114 without the intervening host operating system 112.
Although some embodiments of the computer system 100 can be configured to operate as a computer server, the computer system 100 is not limited thereto and can be configured to provide other functionality, such as data processing, communications routing, etc.
Besides acting as a host for computing applications that run on the hardware platform 114, the host operating system 112 may operate at the highest priority level in the server 100, executing instructions associated with the hardware platform 114, and it may have exclusive privileged access to the hardware platform 114. The priority and privileged access of hardware resources affords the host operating system 112 exclusive control over resources and instructions, and may preclude interference with the execution of different application programs or the operating system. The host operating system 112 creates an environment for implementing a virtual machine, hosting the “guest” virtual machine. One host operating system 112 is capable of implementing multiple isolated virtual machines simultaneously.
A virtual hypervisor 110 (which may also be known as a virtual machine monitor or VMM) runs on the host operating system 112 and provides an interface between the virtual machines 104 and the hardware platform 114 through the host operating system 112. The virtual hypervisor 110 virtualizes the computing system resources and facilitates the operation of the virtual machines 104. The hypervisor 110 may provide the illusion of operating at the highest priority level to the guest operating systems 106. The virtual hypervisor 110 maps the guest operating system's priority level to a priority level lower than the top most priority level. As a result, the virtual hypervisor 110 can intercept the guest operating system 106 to execute instructions that require virtualization assistance. Alternatively, the virtual hypervisor 110 may emulate or actually execute the instructions on behalf of the guest operating system 106. Software operations permitting indirect interaction between the guest operating system 106 and the physical hardware platform 114 are also performed by the virtual hypervisor 110.
Virtual machines 104 present a virtualized environment to guest operating systems 106, which in turn provide an operating environment for applications 108 and other software constructs.
Referring to FIG. 4, a virtualized computing environment 200 (referred to generally as cloud 200) may include one or more server systems 100 that may include one or more electronic computing devices operable to receive, transmit, process, and store data. For example, the servers in the cloud 200 may include one or more general-purpose PCs, Macintoshes, micro-computers, workstations, Unix-based computers, server computers, one or more server pools, or any other suitable devices. In certain embodiments, the cloud 200 may include a web server. In short, the cloud 200 may include any suitable combination of software, firmware, and hardware.
The cloud 200 may include a plurality of server systems 100 that are communicatively coupled via a network 112. The network 112 facilitates wireless or wireline communication, and may communicate using, for example, IP packets, Frame Relay frames, Asynchronous Transfer Mode (ATM) cells, voice, video, data, and other suitable information between network addresses. The network 112 may include one or more local area networks (LANs), radio access networks (RANs), metropolitan area networks (MANS), wide area networks (WANs), all or a portion of the global computer network known as the Internet, and/or any other communication system or systems at one or more locations. Although referred to herein as “server systems,” it will be appreciated that any suitable computing device may be used.
Virtual machines and/or other objects in a virtualization environment can be grouped into logical clusters for management and/or operational purposes. For example, virtual machines can be grouped into clusters based on load balancing needs, security needs, redundancy needs, or any other needs as determined by a system administrator. The virtual machines grouped within a cluster may or may not all be implemented on a single physical server. Any desired number of clusters can be defined subject to system limitations, and each of the clusters can include any desired number of virtual machines subject to server limitations.
Virtual machines can be deployed in particular virtualization environments and organized to increase the efficiency of operating and/or managing a virtual computing environment. For example, virtual machines may be grouped into clusters to provide load balancing across multiple servers.
Virtual machines within a same cluster can be managed by a single virtualization environment manager to have same or similar resource access privileges (e.g., processor utilization, priority, memory allocation, communication interface access privileges, etc.), while virtual machines within different clusters can have different resource access privileges.
Virtual machines that are deployed within a single cluster may share physical resources within a server. For example, virtual machines that are deployed within a single cluster may share physical memory, storage, communication facilities and other resources or services of a server. Whenever computing resources are shared, there is the possibility that one virtual machine could intentionally or unintentionally gain access to data of another virtual machine